Comtarsia

SignOn Agent for Linux 2003

 

User Guide

 

 

December 4, 2003

Version 2003 – Build 1.1.5.11
Contents

1.     SignOn Agent for Linux

1.1    Introduction

1.2    System Requirements

1.3    SignOn Agent Installation

1.4    Starting and Stopping of SignOn Agent

1.5    Examples

1.6    Deinstalling SignOn Agent

1.7    Configuration Parameter Description

2.     RSA Encryption

2.1    General

1.  SignOn Agent for Linux

 

1.1         Introduction

 

SignOn Agent for Linux is a member of the Comtarsia SignOn Gate product family.

SignOn Agent consists of two modules: the system module and the Samba module.

The system module is responsible for maintaining Linux user accounts.

It has the following functions:

 

The Samba module is responsible for maintaining Samba user accounts.

It has the following functions:

o        Creation of new Samba user accounts

o        Synchronization of user passwords

 

SignOn Agent for Linux offers a variety of configuration options with which you can customize the individual agent functions.

 

Synchronization of Linux system accounts can be used for terminal users who are directly working on the system (e.g. via Telnet or SSH) as well as for users who are using Linux system applications which make use of system accounts (e.g. POP/IMAP server, web server).

Comtarsia SignOn Agent is available for a multitude of platforms and applications besides Linux. For more information please refer to the Comtarsia SignOn homepage at http://signon.comtarsia.com/

1.2         System Requirements

 

System Requirements for installation of SignOn Agent Daemon:

·         SUSE Linux Version 8.1 / SCO Linux Server Release 4.0

·         RedHat Linux 8.0 (soon available)

 

Please note that the program libraries shipped with Linux distributions vary widely. You therefore have to make sure you are using the SignOn Agent version that is compiled for your specific distribution.

 

Requirements for using Sync Agent for Linux:

·         TCP/IP protocol with static IP configuration

 

1.3         SignOn Agent Installation

 

Extract the file sa_linux_X.X.X.tar.gz into a new directory with the command

„tar zxvf sa_linux_1.0.1.tar.gz“. Then change into the directory sa_linux and run the installation program with the command „./sainstall“. Root permissions are required to install SignOn Agent.

 

During installation you will be asked for the SignOn Agent program directory as well as the IP address of the SyncProxy server.

 

SignOn Agent will be installed so that it automatically starts upon rebooting of the Linux system. You can customize this behavior to your requirements by changing the Runlevel links.

 

1.4         Starting and Stopping of SignOn Agent

 

Use this script to start and stop SignOn Agent: „/etc/SignOn Agent/SignOn Agentctl“.

 

To start it execute the following command as root:

„/etc/SignOn Agent/SignOn Agentctl start“

 

Stopping works the same way as starting:

„/etc/SignOn Agent/SignOn Agentctl stop“

 

If you change configuration parameters while SignOn Agent is active, you have to restart the agent for the changes to become effective:

„/etc/SignOn Agent/SignOn Agentctl restart“


1.5         Examples

The following chapter describes the necessary steps to assign a Logon Client user a share on a Samba server.

 

Task formulation:

A share is created on the Samba server, to which all users with the group membership „lnxgrp1“ should have access. The user management is done under OS/2, the resource itself is on the Samba server.

 

Tasks under OS/2:

The group „lnxgrp1“ needs to be assigned to all OS/2 users that should have access to the new Samba share. If needed, the group mapping functionality of the Servolution SignOn Agent for Linux can be used to map a specific OS/2 group to a Linux group.

 

Create the alias under OS/2:

net alias ALIASNAME \\LINUXSERVER c:\daten11

 

The local directory name (in this case c:\daten11) doesn’t need to exist on the OS/2 server, because the resource is on the Samba server, but an arbitrary directory needs to be specified.

 

Assign the alias to a user:

net user USERNAME /assign X:daten11

 

„X“ is the drive letter on which the share will be assigned for the specific user.

 

Tasks under Linux/Samba:

The share folder needs to be created, e.g. „mkdir /shares/daten11“, and the correct access permissions must be set, e.g.

drwxrws---    3 root     lnxgrp1          208 Jun 12 11:18 daten11

Subsequently the share must be defined in the Samba configuration file „smb.conf“ (default under /etc/samba/).

 

You need to create the following section in the file „smb.conf“:

[daten11]
          comment = daten11
          path = /shares/daten11
          create mask = 0660
          directory mask = 0770
          writeable = yes
          public = no
          valid users = @lnxgrp1
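The Linux/Samba steps above, carried out in code as an added example (this is not part of the Comtarsia guide): the share directory gets the group-only, setgid permissions shown in the ls listing, and the matching smb.conf section is generated. Paths and the group name are parameters; the demo function uses a temporary directory and the caller's own group so it runs without root.

```python
import grp, os, stat, tempfile

def gid_of(group):
    """Accept a group name (as the guide uses) or a numeric GID."""
    return group if isinstance(group, int) else grp.getgrnam(group).gr_gid

def make_share_dir(path, group):
    """Create PATH with group GROUP and mode 2770 (drwxrws---), so that files
    created through the share inherit the group, as in the guide's listing."""
    os.makedirs(path, exist_ok=True)
    os.chown(path, -1, gid_of(group))            # keep the owner, set the group
    os.chmod(path, stat.S_ISGID | 0o770)
    return path

def check_share_dir(path, group):
    """Verify what the listing in the guide shows: a directory, setgid set,
    rwx for user and group, nothing for others, and the expected group."""
    st = os.stat(path)
    return (stat.S_ISDIR(st.st_mode)
            and stat.S_IMODE(st.st_mode) == 0o2770
            and st.st_gid == gid_of(group))

def smb_share_section(name, path, group):
    """Return the smb.conf section for the share, as given in section 1.5."""
    return "\n".join([
        f"[{name}]",
        f"          comment = {name}",
        f"          path = {path}",
        "          create mask = 0660",
        "          directory mask = 0770",
        "          writeable = yes",
        "          public = no",
        f"          valid users = @{group}",
    ]) + "\n"

def demo(share="daten11"):
    """Create the share directory under a temporary root using our own group
    and return (permissions ok?, generated smb.conf section)."""
    group = os.getgid()                          # our own GID, no root needed
    path = make_share_dir(os.path.join(tempfile.mkdtemp(), share), group)
    return check_share_dir(path, group), smb_share_section(share, path, "lnxgrp1")

if __name__ == "__main__":
    ok, section = demo()
    print("permissions ok:", ok)
    print(section)
```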


1.6         Deinstalling SignOn Agent

 

You have to deinstall SignOn Agent for Linux manually.

Delete the following files/directories:

-          /etc/SignOn Agent

-          SignOn Agent bin directory, e.g.: /usr/local/SignOn Agent

-          Soft links in the run level directories (/etc/init.d/, /etc/init.d/rc3.d, /etc/init.d/rc5.d)

 

1.7         Configuration Parameter Description

 

The configuration file for SignOn Agent for Linux can be found at /etc/SignOn Agent/SignOn Agent.conf.

 

 


#####################################################################

#

# SignOn Agent.conf

# /etc/SignOn Agent/SignOn Agent.conf is the configuration file for the

# Servolution SignOn Agent daemon Version 1.0.1

# Copyright (c) 2003 Comtarsia It Services GmbH

#

#####################################################################

 

 

# Configuration settings for the CORE module

#

[SA_CORE]

 

# Defines if the sync request message is encrypted. Must ALWAYS be 1; if this

# parameter is set to 0, severe problems can occur.

# Default: 1

cryptMessage=1

 

# Defines the installation directory for the SignOn Agent daemon

# Default: /usr/sbin/SignOn Agent

workingDirectory=/usr/sbin/SignOn Agent

 

# Specifies the listener port for incoming sync requests coming from

# the sync proxy. If changing this parameter be sure that the selected port

# number is not used by other services.

# Default: 2000

listenerPort=2000

 

# Specifies the listener port for the maintenance interface. You

# can connect to the maintenance interface with a TELNET client. When

# connected, HELP can be invoked by pressing "? ENTER". If changing this

# parameter be sure that the selected port number is not used by other services.

# This is not supported in the current version.

# Default: 3000

maintenancePort=3000

 

# Defines the standard socket receive timeout for PROXY communication in seconds.

# On expiration of this value the socket connection will be closed by the

# SignOn Agent. This case is shown in the logfile (if logging is activated) as

# "receive error". If this error occurs repeatedly, contact your network administrator.

# Default: 4

rcvTimeout=4

 

 

# Configuration settings for the LOG module

#

[SA_LOG]

 

# Defines if logging is activated without a maintenance connection; must be 1 if

# you want to log to file.

# Example cases when file logging is activated:

# 1) logToFile=1 AND a maintenance connection is established AND the maintenance

# command "log start" is performed.

# 2) logAlways=1 and logToFile=1

# Default: 1

logAlways=1

 

# Specifies the logfile name (path has to be included)

# Default: /var/log/ComtSignOn Agent.log

logFileName = /var/log/ComtSignOn Agent.log

 

# Defines the desired log level. The log level should be set to at least 1 to log all

# error messages that occur. For more detailed system analysis set this

# parameter to a higher level (e.g. during the system test phase).

# Be aware that log levels higher than 1, especially 3 (if file logging is activated),

# can consume a non-negligible amount of disk space under high SignOn Agent load.

# 0 no log

# 1 only errors

# 2 log messages

# 3 verbose log level

# Default: 1

logLevel=1

 

# Specifies if the log output should be written to "logFileName".

# For more information see [SA_LOG] -> logAlways.

# Default: 1

logToFile=1

 

# Defines the maximum logfile size in bytes. If this size is reached

# a backup copy of the logfile is made (naming convention is

# <logFileName>_YEAR_MONTH_DAY_HOUR_MINUTE_SECOND) and the logfile

# size is set to 0. If free disk space is less than 50 megabytes the oldest logfile

# backup copy will be deleted.

# Default: 102400

maxLogFileSize=1024000

 

 

# Configuration settings for the SYSTEM module

#

[SA_SYSTEM]

 

# Specifies if the SYSTEM sync module is enabled. The SYSTEM sync module is

# responsible for UNIX user AUTHENTICATION, UNIX user CREATION, UNIX

# PASSWORD synchronization and UNIX GROUP synchronization.

# All further modules will not be processed if the SYSTEM

# module fails. Thus "syncEnabled" must ALWAYS be 1.

# Default: 1

syncEnabled=1

 

# Specifies the policy bit field flags for syncing.

# If a previous level fails, further operation is cancelled.

# (e.g.)

# 0x1 check password (must be ALWAYS set)

# 0x2 create user (must be ALWAYS set)

# 0x4 update user (update the user's supplementary groups)

# default = 7 (all bits set)

syncPolicy=7

 

# Specifies if the user's home directory should be created

# Default: 1

createHomeDir=1

 

# Specifies if on directory creation the users' home directory

# mask should be changed.

# Default: 1

changeHomeDirPermission=1

 

# Specifies the home directory mask to use (octal)

# Default: 0700

homeDirPermissionMask=0700

 

# Specifies if groupmapping is enabled (1 = group mapping is enabled).

# When group mapping is disabled the supplementary group list sent by the client

# is used to update the UNIX group membership.

# When group mapping is enabled (see [SA_GROUPMAPPING]) group mapping

# translation is used.

# Default: 0 (group mapping is disabled)

disableEqualGroupMapping=0

 

# Specifies the except groups. These are groups which will be deleted

# from the user's supplementary group list (groups are separated by ", ").

# Example: root, audio

exceptGroups=root

 

# Specifies the minimum GID. All groups in the supplementary group list whose

# group ID is less than minGid are deleted from the user's supplementary group list.

# Default: 30

minGid=30

 

 

# Configuration settings for the SAMBA module

#

[SA_SAMBA]

 

# Specifies if the SAMBA sync module is enabled (1 = enabled). The SAMBA sync

# module is responsible for SAMBA user AUTHENTICATION, SAMBA user CREATION

# and SAMBA PASSWORD synchronization. If the SYSTEM module fails, the SAMBA

# module will be NOT processed.

# Default: 1

syncEnabled=1

 

 

# Proxy accept list

# List of SYNC PROXY IPs from which requests will be accepted. Sync requests

# whose sender is not in this list will be REJECTED and an entry (if logging

# is activated) is made in the log file.

# Maximum list size is 10.

# PROXY1 = ...

# PROXY2 = ...

# ...

[SA_ACCEPTLIST]

 

PROXY1=192.168.2.209

 

#PROXY2=192.168.2.206

 

 

# Groupmapping list.

# The group mapping list describes group mapping translation. The left-hand

# group (SOURCE group) of a group mapping entry is checked against the group

# list sent by the client. If the SOURCE group is found in the client list, the

# TARGET group(s) (right-hand groups of the group mapping entry) will be

# added to the user's supplementary group list. Groups in the client list which

# do not match any SOURCE group will be discarded.

# Syntax: "USERLIST GROUP" = "SUPPLEMENTARY GROUP1" [ , "SUPPLEMENTARY GROUP2"...]

# Maximum list size is 32.

# Example: OS2GRP1=linuxgrp1, linuxgrp2

[SA_GROUPMAPPING]
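The group handling described by the [SA_SYSTEM] and [SA_GROUPMAPPING] comments above, as an added example that is not Comtarsia code: it parses a constructed fragment in the format of SignOn Agent.conf and resolves the supplementary group list a client sends. It assumes the order mapping first, then exceptGroups, then minGid, and that groups unknown to the system are dropped; the GID table stands in for /etc/group.

```python
import configparser

# Constructed configuration fragment in the format of SignOn Agent.conf.
SAMPLE_CONF = """
[SA_SYSTEM]
disableEqualGroupMapping=1
exceptGroups=root, audio
minGid=30

[SA_GROUPMAPPING]
OS2GRP1=lnxgrp1, lnxgrp2
ADMINS=root, wheel
"""

# Constructed stand-in for the group database (group name -> GID).
GIDS = {"root": 0, "wheel": 10, "audio": 29, "users": 100,
        "lnxgrp1": 1001, "lnxgrp2": 1002}

def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                 # keep the case of SOURCE group names
    cp.read_string(text)
    return cp

def split_list(value):
    """Lists in the file are separated by ", "; a missing space is tolerated."""
    return [g.strip() for g in value.split(",") if g.strip()]

def resolve_groups(cp, client_groups, gids=GIDS):
    """Return the supplementary groups a user ends up with for CLIENT_GROUPS."""
    sysc = cp["SA_SYSTEM"]
    if sysc.getint("disableEqualGroupMapping", 0) == 1:
        # mapping enabled: SOURCE groups present in the client list expand to
        # their TARGET groups; client groups matching no SOURCE are discarded
        groups = []
        for source, targets in cp["SA_GROUPMAPPING"].items():
            if source in client_groups:
                groups.extend(split_list(targets))
    else:
        groups = list(client_groups)     # mapping disabled: use the list as sent
    except_groups = set(split_list(sysc.get("exceptGroups", "")))
    min_gid = sysc.getint("minGid", 30)
    result = []
    for g in groups:
        if g in except_groups or g not in gids or gids[g] < min_gid:
            continue                     # exceptGroups, unknown (assumption), minGid
        if g not in result:
            result.append(g)
    return result
```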


 

2.   RSA Encryption

 

2.1         General

 

All data sent from SyncClient and SyncProxy to SignOn Agent is RSA encrypted.

 

The test version of SignOn Agent for Linux uses an internal 512 bit RSA key.

A licensed version of SignOn Agent allows you to use your own custom-generated RSA keys up to a length of 2048 bit.

 

Note: The internal RSA key is only meant for testing and should never be used in production environments, for security reasons.